Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

Michael Clark <michael@metaparadigm.com> Wed, 24 December 2014 13:13 UTC

Return-Path: <michael@metaparadigm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716781ACD9C for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 05:13:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.468
X-Spam-Level:
X-Spam-Status: No, score=-1.468 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, IP_NOT_FRIENDLY=0.334, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E5A1oqFEmTl3 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 05:13:06 -0800 (PST)
Received: from klaatu.metaparadigm.com (klaatu.metaparadigm.com [67.207.128.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B2A01ACDB4 for <tls@ietf.org>; Wed, 24 Dec 2014 05:12:58 -0800 (PST)
Received: from monty.local (unknown.maxonline.com.sg [58.182.90.50] (may be forged)) (authenticated bits=0) by klaatu.metaparadigm.com (8.14.4/8.14.4/Debian-4) with ESMTP id sBODXrPE010477 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 24 Dec 2014 13:33:56 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=metaparadigm.com; s=klaatu; t=1419428039; bh=zmFyxn17u9zab0odQIPwuWbV2L+QJd0uQ7RF/1l+a30=; h=Date:From:To:Subject:References:In-Reply-To:From; b=a2LE3MdfyljUEJMMMdGIdslRe8mBO709RECtmkvnbJ+0Q41nL293S74r9V4+jzoOf cXuIlulUTKErafcaSjgD58yAyG1qOxZGd1tcqquMJ2/A5GDa1DmxX268u+u2lLc/TI VIP+P3ej1kTFmvdUcqL2gNn/GQFw8myT52xcL8jI=
Message-ID: <549ABBC9.6070406@metaparadigm.com>
Date: Wed, 24 Dec 2014 21:12:41 +0800
From: Michael Clark <michael@metaparadigm.com>
Organization: Metaparadigm Pte Ltd
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF49636@uxcn10-tdc05.UoA.auckland.ac.nz> <549A804E.6080408@metaparadigm.com>
In-Reply-To: <549A804E.6080408@metaparadigm.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.4 at klaatu.metaparadigm.com
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UWOi04XvwM5F0OvtUw6yy_BY88M
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 13:13:08 -0000

On 24/12/14 4:58 pm, Michael Clark wrote:
> On 24/12/14 2:15 pm, Peter Gutmann wrote:
>> Michael Clark <michael@metaparadigm.com>; writes:
>>
>>> I have been doing some independent research on TLS AEAD ciphers and decided
>>> to share a meta-analysis on AES-GCM versus AES-EAX/AES-CCM
>>
>> If you're going to look at these, what about also looking at encrypt-then-MAC,
>> which is another AEAD mechanism?

CBC is MAC-then-encrypt in TLS1.2, however encrypt-then-MAC is the
current best practice? encrypt-then-MAC allows you to verify message
integrity before decryption and abort sessions after a (small) error
count to mitigate any brute forcing over the wire (without cost of
decryption). With MAC-then-encrypt you need to decrypt before you can
verify the MAC.

Also from TLSv1.2 6.2.3.3. "No MAC key is used." with AEAD.


If you replaced MAC-then-encrypt with encrypt-then-MAC in TLSv1.3 then
you could alter the behavior of the new encrypt-then-MAC to make it work
for non AEAD ciphers like CBC as well to (optionally) augment the
message authentication bits for AEAD ciphers that are currently limited
to 128 bits. I'm not talking about the common case where AES_128_GCM and
128-bit tags is a good start for SSL everywhere. I'm talking about cases
where the overhead of 3 passes may be acceptable. Also consider this a
pencil sketch. Of course servers that want to maintain backwards
compatibility would need to keep encrypt then Mac. These are just ideas.


A TLSv1.3 ClientHello and ServerHello extensions could advertise
something like this this:

enum { AuthBits128, AuthBits256, AuthBits384, AuthBits512}
MessageAuthenticationBits;

struct {
  MessageAuthenticationBits minimum_authentication_bits;
  MessageAuthenticationBits preferred_authentication_bits;
} MessageAuthSecurity;


The client and server choose a MacAlgorithm based on the combination of
the negotiated cipher's authentication tag bits (0 bits for non AEAD
ciphers) and the bits of the mac algorithms present in
SecurityParameters.mac_algorithms. A (null) MacAlgorithm may be chosen
if the cipher's AEAD tag bits meets the minimum or preferred
authentication bits or a suitable MacAlgorithm could be chosen to
provide the remaining bits. For non AEAD ciphers a MacAlgorithm would be
chosen that matches the minimum or preferred authentication bits. The
policy over the the choice of minimum or preferred message
authentication bits would need to be considered.

A negotiated MessageAuthenticationBits message_authentication_bits could
be added to the TLSv1.3 SecurityParameters along with MACAlgorithm
mac_algorithm which may or may not be (null) with an AEAD cipher.


If the client or server wanted 128 message authentication bits:

* AEAD cipher with 128 bit auth tag, (null) MacAlgorithm and no
encrypt-then-MAC at the TLS layer. AD would be be passed to the AEAD cipher.

* non AEAD cipher, hmac_sha128 with encrypt-then-MAC at the TLS layer.
AD would be prefixed in the MAC in the TLS layer encrypt-then-MAC when a
non AEAD cipher was used (currently the MAC is a suffixed in the
MAC-then-encrypt scheme in TLSv1.2).


If the client or server wanted 256 message authentication bits

* AEAD cipher with 128 bit auth tag, hmac_sha128 MacAlgorithm with
encrypt-then-MAC at the TLS layer. AD would be be passed to the AEAD cipher.

* non AEAD cipher, hmac_sha256 with encrypt-then-MAC at the TLS layer.
AD would be prefixed in the MAC in the TLS layer encrypt-then-MAC when a
non AEAD cipher was used (currently the MAC is a suffixed in the
MAC-then-encrypt scheme in TLSv1.2).


This is based on the observation that SHA1 is being phased out; however
it may well be that based on the nonce lifetime this is not needed. That
said some applications may like the idea of having Cipher based MAC in
an AEAD cipher combined with a PRF based MAC as they both have different
properties

And when I refer to the collision properties of Cipher based MACs I'm
referring to one block of course (the size of the tag).

Michael.